Reputation

Cybercrime Crisis

Responsible crisis management is vital to maintaining company reputation in the wake of a cybersecurity breach. Billy Bambrough considers what to do when the worst happens

When it comes to cyber attacks, prevention is better than a cure, but if you’re dealing with criminals committed to breaking in, that’s not always possible.

Two-thirds of big British businesses have been hit by a cyber attack, according to the Department of Culture, Media and Sport’s Cyber Security Breaches Survey published in May last year. In 2015, more than three quarters of the Fortune 500 companies were also breached.

These attacks are expected to rise in both frequency and intensity as the data that companies hold on their customers and their operations becomes more valuable. And at the same time, the media backlash is climbing along with it.

Chief executives and senior company management are living in fear of a late night phone call telling them there has been a data breach and they need to make an announcement admitting it.

Such an announcement will mean lost sales, reputational damage and potential fines, no matter how much has been set aside to cover the costs of cybersecurity.

It’s always going to be a difficult time, but exactly how difficult depends on how the immediate aftermath is handled.

Brian West is the global crisis managing director at public relations company FleishmanHillard. He says there’s a fine balance between making a public statement and knowing exactly what has happened: wait too long and the story will run away with itself, make a statement before the facts are known and you might have to backtrack.

“If you delay communications until you know everything, you will never say anything,” says West. “Speed of response is critical; do not leave an information void that others can fill.”

The vital first day

Like many, West thinks it’s the first day following a breach that is going to be the most important for a company, setting the tone for the coverage of the incident.

“The first 24 hours are crucial,” West says. “A crisis involves downsides, but how quickly and how well the management team responds determines the level of reputational damage.”

West points to both TalkTalk and eBay – both of which took days to release a statement and notify their customers following a data breach – as examples of companies that misstepped here.

TalkTalk boss Dido Harding ran into difficulties when she went on TV and said she didn’t know how many customers were affected, escalating a relatively minor breach into a huge hack due to her uncertainty.

Even worse, says West, US retailer Target’s customers first found out that their data was compromised through the digital security blog Krebs on Security, and not from the company itself.

Target reportedly knew about the data breaches for 12 days before taking action and its profits fell nearly 50% in its fourth fiscal quarter following the data breach, which is arguably one of the worst commercial corporate data breaches in history.

In this digital age, cyber breaches are no longer an ‘if’ but a ‘when’ and the digital landscape is becoming increasingly hostile, with the recent WannaCry incident affecting more than 220,000 computers in 150 countries and costing companies an estimated $8bn globally.

Meanwhile, the Internet of Things will continue to grow exponentially as connected devices, network traffic and smartphone connections increase, further adding to the risk.

The viral crisis

Over the last few years, the way news spreads and grows has changed. A lot of this is due to social media, which has come to define much of the way events are covered in the wider reporting press.

During the Asiana Airlines crash landing in 2013, for example, the first story came out on Twitter just 30 seconds after the crash, via a user at the scene.

“Years ago, communication professionals talked about the golden hour for responding to a crisis when the traditional news cycle held sway,” says West. “Social media has truncated this to the golden second: the news cycle is now instant and runs 24/7.”

If a company tries to control and limit this flow of information they will fail – and those attempts to control could even add to problems.

“Crises are now measured in tweets per second and companies have to communicate at the speed of their audience,” West says. “Therefore, shorten the chain of command: shorten the review and approval process. During a crisis, the traditional command and control business unit structure will only doom organizations from the start.”

The whistle blower

How do you deal with the public relations fallout from a data breach that has come from within your own company? Companies have become increasingly wary of such an occurrence, in the wake of a number of high-profile leaks that have wreaked havoc on the businesses involved.

A little over a year ago the Panama Papers leak – fuelled by the subsequent media strategy – made headlines around the world, while the so-called Swiss Leaks the year before unveiled a damning tax evasion scheme involving British multinational bank HSBC.

In the case of the former, journalists from 107 media organizations in 80 countries analysed the documents known as the Panama Papers, detailing the operations of the law firm Mossack Fonseca and its high-profile clients. The law firm – previously described by The Economist as tight-lipped – leaked an astonishing 11 million documents and 2.6TB of data. This compares to the 1.7GB leaked by Wikileaks, 30GB lost by Ashley Madison and 230GB lost by Sony Pictures.

In a situation such as this, where public opinion is against you, the PR strategy must be all the more focused on moving forward.

Miles Dean, founding partner of Milestone International Tax Partners, warns risks need to be taken more seriously, but ultimately will only ever be mitigated by playing by the rules.

“The ‘it will never happen here’ syndrome doesn’t wash when it comes to cybersecurity,” says Dean. “Whistleblowers, on the other hand, can be avoided by ensuring the conduct of the bank, in particular its attitude to offshore money and tax evasion, is irreproachable.”

Roddy Buchanan, head of wealth management at WHIreland, agrees, saying that risk can be mitigated by “having very clear policies and procedures and ensuring that these are adhered to. Also having a second line of defence should it occur – such that any damage is contained.”

In the case of HSBC’s Swiss Leaks, the bank was able to mitigate the fallout by pointing immediately to how it had changed since the allegations, taking control of the conversation and moving it on from past actions to present and future remedies.

A PR crisis – whether it’s a digital hack or something more traditional – is always going to be negative. Very few spinners will be able to transform a disaster into a success, but a good PR strategy can mean the difference between the chief exec being forced to resign or steering the company successfully through the data breach.

PR nightmares: Ten of the worst corporate data breaches

LinkedIn, 2012

Hackers sold name and password info for more than 117 million accounts

Target, 2013

The personal and financial information of 110 million customers was exposed

JP Morgan, 2014

One of JP Morgan Chase’s servers was compromised, resulting in fraud schemes yielding up to $100m

Home Depot, 2014

Hackers stole email and credit card data from more than 50 million customers

Sony, 2014

Emails and sensitive documents were leaked, thought to be by North Korea in retaliation for Sony’s production of a film mocking the country’s leader Kim Jong Un

Hilton Hotels, 2015

Dozens of Hilton and Starwood hotels had their payment systems compromised and hackers managed to steal customer credit card data

TalkTalk, 2015

The personal data of 156,959 customers, including names, addresses, dates of birth and phone numbers, were stolen

Tesco, 2016

Hackers made off with around $3.2m from more than 9,000 Tesco Bank accounts

Swift, 2016

Weaknesses in the Swift payment system resulted in $81m being stolen from the Bangladesh Central Bank’s account at the New York Federal Reserve

Chipotle, 2017

Phishing was used to steal the credit card information of millions of Chipotle customers, thought to be part of a wider restaurant customer scam orchestrated by an Eastern European criminal gang
